Enabling and disabling two-factor authentication

Updated April 17, 2019 14:34

Fastly supports two-factor authentication, a two-step verification system, for logging in to the web interface. In a two-factor authentication security process, users provide two means of identifying themselves to the system, typically by providing the system with something they know (for example, their login ID and password combination) and something they have (such as an authentication code). Organizations can enable company-wide two-factor authentication to require all users within the organization to use two-factor authentication.

Before you begin

You'll need to enter an authentication code regularly. Once two-factor authentication has been enabled, an authentication code will be requested upon login at least every 14 days for each computer and browser you use to access the Fastly web interface.

A mobile device is required. Using this security feature with a Fastly account requires a mobile device capable of scanning a barcode or QR code using a downloadable authenticator application. We recommend the following:

Enabling two-factor authentication

IMPORTANT: If your organization has enabled company-wide two-factor authentication, you will be required to set up two-factor authentication when you log in to the Fastly web interface. Skip to step six for instructions.

Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.

IMPORTANT: The QR code above is an example. Scan the one that appears in the Fastly application, not in this guide.

Launch the authenticator application installed on your mobile device and scan the displayed QR code or manually enter the key displayed in the setup window. A time-based authentication code appears on your mobile device. Depending on your device, however, a browser link may first appear. You need to click this link to save it. When you do, the words Secret saved appear briefly.

In the Authentication Code field in the Fastly application, type the time-based authentication code displayed on your mobile device.

ANDROID USERS: A common time syncing issue may cause your authenticator codes to fail. You can correct this using Google's instructions for your authenticator application.

IMPORTANT: If you're ever unable to access your mobile device, the displayed recovery codes can be used to log in when your account has two-factor authentication enabled. Each of these recovery codes can only be used once, but you can regenerate a new set of 10 at any time (any unused codes at that time will be invalidated). Store your recovery codes in a safe place.

After you enable two-factor authentication, logging in to your Fastly account will require your email address and password, and then an authentication code generated by the authenticator application you've installed on your mobile device. By default, the system requires you to authenticate your login using an authentication code at least every two weeks for each computer and browser you use to access the Fastly web interface.
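The time-based codes and the time syncing issue described above can be reproduced offline. This is an added example, not Fastly's code: it assumes the RFC 6238 defaults that authenticator applications use (HMAC-SHA-1, 30-second steps, 6 digits), and the `verify` helper with its one-step acceptance window is hypothetical, since this guide does not state how much clock drift Fastly tolerates.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, the RFC 6238 default
DIGITS = 6


def totp(secret_b32: str, unix_time: float) -> str:
    """Return the RFC 6238 code (HMAC-SHA-1) for the given time."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: float, window: int = 1):
    """Accept a code from the current step or `window` steps either side.

    Returns the matching step offset (0 = clocks agree), or None on failure.
    The window size is an assumption made for this example.
    """
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None


# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
# A real secret is the key shown next to the QR code in the setup window.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server_now = 1_111_111_109                   # constructed server clock
    for phone_skew in (0, 25, 120):              # seconds the phone runs fast
        code = totp(SECRET, server_now + phone_skew)
        print(phone_skew, code, verify(SECRET, code, server_now))
```

A phone that is a few seconds fast can already land in the next 30-second step, and a phone that is minutes off produces codes no reasonable window accepts, which is why correcting the device clock fixes the failure.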

Disabling two-factor authentication

Once two-factor authentication is enabled for your account, you can disable it at any time by following the steps below.

What to do if you lose your mobile device

If you lose your mobile device after enabling two-factor authentication, use a recovery code to log in to your Fastly account. You can continue to use recovery codes to log in until you get your mobile device back. Recovery codes can only be used once, however, so remember to regenerate a new list of codes to avoid running out before you recover your mobile device.

If you do not believe you will be able to recover your lost mobile device and you still have at least two recovery codes left, you can log in with one recovery code and disable two-factor authentication with a second code. Once two-factor authentication is disabled, you can re-enable it with a new mobile device at a later time and regenerate a new set of codes.

Managing two-factor authentication as a superuser

If you are assigned the superuser role for your organization, you can view who has two-factor authentication enabled in the User management settings for your Account. Users with this feature enabled have 2FA displayed next to their names.

To disable two-factor authentication for any user within your organization, select Disable 2FA from the menu that appears when you click the gear icon next to that user's name.

Managing two-factor authentication as a company

Organizations can enable two-factor authentication for all of their users. When the company-wide two-factor authentication feature is enabled, all users within the organization are required to use two-factor authentication to log in to the Fastly web interface, and they cannot disable two-factor authentication for their accounts.

Enabling company-wide two-factor authentication

Users assigned the superuser role can enable this feature on the Account page. To enable company-wide two-factor authentication for all users within your organization, follow the steps below.

Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.

In the Customer options area, select Enabled from the Company-wide two-factor authentication controls.

Click Update Customer Options. A warning message appears.

Click Continue. You will be logged out of the Fastly web interface. This completes the setup process for company-wide two-factor authentication.

Resetting a user's two-factor authentication

If company-wide two-factor authentication is enabled, and a user within the organization gets locked out of their account or needs to enable a new device, an account superuser can reset their two-factor authentication. To reset a user's two-factor authentication, follow the steps below.

Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.

Click the User management link.

In the Users area, click the gear icon next to a user and then select Reset 2FA. A warning message appears.

Disabling two-factor authentication for a single user's account

If company-wide two-factor authentication is enabled, a superuser can disable two-factor authentication for a single user's account. This is typically done for user accounts being used for scripts and session authentication. To disable two-factor authentication for a single user's account, follow the steps below.

Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.

Click the User management link.

In the Users area, click the gear icon next to a user and then select Ignore 2FA. A warning message appears.

Click Ignore. Two-factor authentication will no longer be required for the selected user.

Disabling company-wide two-factor authentication

A superuser can disable company-wide two-factor authentication. Once this feature is disabled, existing users within the organization will be able to manage their own two-factor authentication settings, and new users will not be required to set up two-factor authentication to log in to the Fastly web interface. To disable company-wide two-factor authentication, follow the steps below:

Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.

In the Customer options area, select Disabled from the Company-wide two-factor authentication controls.